
Zocalo writes "In a post to the Nmap Hackers list Nmap author Fyodor accuses Download.com of wrapping a trojan installer (as detected by various AV applications when submitted to VirusTotal) around software including Nmap and VLC Media Player. The C|Net installer bundles a toolbar, changes browser settings, and, potentially, performs other shenanigans — all under the logo of the application the user thought they might have been downloading. Apparently, this isn't the first time they have done this, either."

Download.com have always done this... I thought this was how they funded the site.

This may be true, but doesn't shadow the efforts of those irritated enough to stand up and say something. Hats off to Fyodor for bringing it to light in hopes that things change.

And as knowledgeable as the average user has (been forced to) become about spyware and malware, Download.com should listen, because it's obviously not just those uploading content that keeps them in business. Let's hope they don't react and generate that stench of arrogance around themselves, not unlike many large businesses today that think they're "too big to fail", and could care less what their customers think.

(I am not an expert on these things so bear with me): But what I understood is that when they created a new installer to install the unmodified software (let's say Firefox) with another piece of software (the adware), this can't be thought of as an infringement... Or can the software only be installed via its original installer?

The new installer is a "derivative work", and you can specify that derivative works must not use the original trademarks. Mozilla and RedHat are both very strict about this: the source is open and free and all but you keep their name out of your modified stuff.

So this is my question: Is installing it via a different installer (than the original one) considered a derivative work? Even though the program is identical to the one installed with the default installer.

Honestly, the whole story is nonsense created by a very ignorant person. Free software was never intended to keep programmers from making a living.

Sorry but no. The whole story is a very real warning to a user community that a large company is acting in an unethical and immoral manner by trading on the name and reputation of someone else.

Making money through advertising on the download site isn't causing any problem. Pretending to offer Fyodor's downloader while in fact seeking to install other software is a trojan attack and bad behaviour no matter how you look at it.

Calling this nonsense fails to understand the key issue and misrepresents both the complaint, and the complainant.

The problem is folks now blaming the original software writer for 1) mucking about with browser settings, 2) installing adware, 3) installing who knows what else??

How would you like it if you wrote a program (let's say it's a conversion calculator) and then hosted your downloads on download.com and THEY WITHOUT TELLING YOU decided to bundle Diapered Dolls Slideshow 2012 (4-7 edition) and then made that the default screensaver (and locked the settings)???

And/or you can insist on derivative works keeping to the original licence, so for example Download.com would be obliged to make the source code of whatever changes they made available. Doesn't stop them obfuscating it, but it does at least mean people can (with work, in theory) find out what the program does before they actually run it.

That's what I finally had to do, when some entity (might've been download.com, might've been someone else) offered an alternative download location for my software - which bundled some sort of malware installer onto my software. After one attempt to remove them as an alternate, I was told I could request my software be removed, and that's what I did. This occurred back in 2004. [degreez.net]

Sorry but this is old news and why most of us builders have been avoiding CNet like the clap for a while. I'd love to see their before and after website visit stats because I wouldn't be surprised if many are doing like me and the instant they see the article is on CNet closing the tab.

For those that need that "80%" software, the stuff you pretty much install on every system? Let old Hairy introduce you to a really nice place with a weird name... Ninite [ninite.com]. It has all the latest versions of the software everyone installs, your Flash, codec packs, VLC, LibreOffice, several AV and antimalware to choose from, and NO TOOLBARS are allowed, no crapware, just the program you want pre-packaged as an unattended installer that's as simple as "clicky clicky" and let her run. Great for not only new builds but when you need to help someone who lives a good distance away who is having trouble or doesn't know where to find the above basics.

I used to swing by CNet all the time back in the day but since I don't support spammers and spyware pushers they can go pound sand. With Ninite all the basics are covered and if you can think of others you'd like just drop their name in the suggestion box and they'll add the most popular choices to the list. I suggested K-Lite with MPC and voila! There it is, and more popular apps are being added all the time. Enjoy folks!

It's even more stupid that Google has started offering Chrome just the same way like every other adware vendor - by offering freeware and shareware authors, and the likes of Download.com, money per install they get. This leads to software authors and download sites bundling it with unrelated software and pushing it to users since they get paid for it. They always used to do this with their toolbar, but of course now they switched it to Chrome. I've seen people using Chrome and when asked why they changed, they had no idea. Either it came with some other software or "Google said on internet that you need to download this to make your browsing better" and they thought fine. No wonder they gained that 25% market share so quickly...

I like FileHippo [filehippo.com] more. It has a bigger collection than ninite, and it tracks both stable and beta versions of most free software and freeware on Windows. They also have a useful (and a completely optional download) update utility that checks if there are any updates available for software on your computer. If yes, you can let it update from their website. It's pretty awesome, all in all.

http://www.freewarefiles.com/ [freewarefiles.com] is also a solid site. I have had some exchanges with the site owners before and they seem to be reputable. They run ads, but other than that there is no funny business. The site has been around for quite a while.

Does Ninite prevent developer-included crapware? Specifically looking at uTorrent here, which is notorious for giving you check boxes concerning crapware and then installing it anyway regardless of what you checked.

Yes it is news for me. I submitted something I wrote a while back and it used to offer the file the way I uploaded it. I just checked and sure enough my download is now wrapped in a CNet installer. Now I need to dig out my account info and remove my software listing because this is fucking BULLSHIT!

Yes, they have, or at least it seems like it. The difference this time is that in addition to an abuse of the registered Nmap trademark Fyodor also has them in a clear breach of the NMAP licensing Ts&Cs and it appears he's willing to try and pursue the matter through the courts. I did have a strapline on the original submission to the effect that he was looking for a good US based copyright lawyer, but it appears that the Slashdot editors decided that wasn't an important part of the story.

New to some of us? No. Honestly though, does it hurt to spread the word as much as possible though? I think not. CNet can go to hell. It's bad enough when the program makers do it but now the place offering downloads is packing this shit in? Seriously? They don't think the program makers might be a little bit pissed off at this prospect?

No, they have not always done this. It just started this year. As a software author who publishes on CNet in addition to many other sites and my own, I was horrified to be notified this year that this was going to take place. They completely repackage the software, wrapping it with their adware crap. I immediately fired off a vehement email telling them not to do this with my software, but CNet does what they want to do and getting them to do anything without giving them money is a process that usually takes about 6 to 12 months (they pissed me off years ago and it took FOREVER to get de-listed). They are essentially abusing their power they have over software authors who need to publish on CNet (by far the most high traffic DL site on the net). I don't really need to publish on CNet but it used to be a badge of honor and a sign of credibility to be published there. I don't consider it as such any more.

Can we all agree that downloading free software is stealing from poor programmers who have to live in their mother's basement because they're so poor they cannot even afford their own place? And that as we can read in TFA downloading free software supports criminal activities, and is therefore terrorism? And that this probably means you're a communist child-abusing terrorist?

Download.com has been funded by bullshit third-party software addons for as long as I can remember. AFAIK, they only recently started this practice of causing the user to download a downloader which would first go through the third-party addons before downloading the actual installer... but it's not like it's any different than before. Yeah, lots of people will just click through and accept everything and that's their fault for not reading things before agreeing to them. Don't blame a free service operated by a for-profit corporation for wanting to make money. Host the Nmap installer yourself if you think it's so easy.

Fyodor actually *DOES* host the installer. He never gave them permission to repackage it. In fact, the software license prohibits this explicitly.
From the article:
"This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't)."
So yeah, I can blame them. If you read the fucking article you would know this.
p.s. Yes, I said that the parent should have read the article. No, I am not new here, but that doesn't mean that I, or anyone else, should tolerate willfully uninformed bullshit spouting.

There are a few reasons software repositories are popular that I can think of off the top of my head.

Much like an "app store" for smart phone apps, its convenient to have 1 place to go to look for an app, when you have general requirements or a specific type of app in mind, and not so much a specific app.

People are creatures of habit, and once they learn how to use the download.com ( or some other site like freshmeat.net ) interface, they just return to it out of habit, and the fact that they already know how to search and navigate the site.

As for why developers use sites like this, the visibility factor comes into play. Since the repositories have a returning user base, the app becomes that much more visible, as opposed to getting lost in search engine results.

Another incentive for small developers is the bandwidth. They don't have to manage the large amount of bandwidth required to deliver apps; the repository does this. They also don't have to pay for a commercial ISP account that allows them to run servers, as most residential account agreements forbid the operation of servers (although only in agreement, not necessarily technically prevented).

People are creatures of habit, and once they learn how to use the download.com ( or some other site like freshmeat.net ) interface, they just return to it out of habit, and the fact that they already know how to search and navigate the site.

Though there's a small but crucial difference between download.com and freshmeat/whatevertheheckit'snowadays: Download.com hosts stuff, while freshmeat just listed and categorised software, linking to developers. The details on where to get the software are posted by the developer on freshmeat. You get the software exactly where the developer wants you to get the software. A choosy user can then download the source or official binaries or just say "hey, it looks like it's already packaged in my distro".

Then you're not the kind of user they want - you will just cost them bandwidth without helping them make money from bundled crap.

This could indeed be the case. The issue I have with wrapping the download is that it's somewhat of a below-the-table tactic. I, the user, want a file. I don't want spyware or adware installed, even if I'm being made aware of it, which I suspect most users aren't being made aware of. (Sure, it's probably buried somewhere in fine-print legalese, but that's not awareness, that's legal liability dismissal / transfer.)

What I wouldn't mind, is if download.com showed advertisements, and used the revenue to pa

Another issue I didn't like, as a software author, is that they make money when people install my software via their download and I get fucking ZERO from it when I was the one adding ALL the value to the transaction.

I liked it years ago. They made it easy to search for a function and get a list of Windows software that did it. Back then I usually couldn't find who made software that did what I needed done. I couldn't go to the software producer's site, because I didn't know who he was. Now I just google around a bit, search some forums and hope for the best. In my eyes they already screwed up when they allowed sw developers to promote the features of the full (paid) version in the description of the free version without any indication the free version didn't include the feature.

Not if you pay them. I'm not talking about Rapidshare Premium or anything, I mean you can actually legitimately pay them for distribution of your legitimate files. No wait screens, no slow downloads, it's like everyone who downloads your file is premium from their perspective. You just pay for hosting.

Not much of advantage anymore. You can just host on rapidshare/megaupload/similar site.

And that's why people (used to) go to Download.com.

If I'm looking for warez I might go to rapidshare/megaupload/similar site. And I'll assume anything I get from those sites has a trojan/virus/bot until I can prove otherwise.

If I know what app or utility I need, I'll go directly to that site. If I don't have a particular name in mind, I used to go to Download.com. For example, I recently needed to get some updated codecs, but didn't know the exact package or provider I needed.

If you're "looking for warez", those are the last stop, not the first one. They host whatever it is that you want them to host. They only offer downloads of material that other people chose to upload to them. The main reason why anti-piracy outlets like to paint them as "omg warez" is because they are free to use, fast, and you can only get the download if you have the proper link - there is no directory.

You sound like your typical ignorant person who just swallows whatever media tells him at face value, and

To have all software in one place, compare them, see how highly they're rated, and see all the user reviews is very valuable to me.
But to download it? Just use Softpedia.com [softpedia.com] instead (which is almost as popular as Download.com, and avoids all the spamware).

Obviously a few bad apples will get through any software portal you care to mention, but Softpedia does not include the spamware 'installer' that Download.com is infamous for.
For the record, my own software is on there, and Softpedia supply exactly the same file (as expected).

You never see anything like this from Linux repositories simply because Linux users would never stand for it. Many (maybe most) of the Windows users I know accept malware and crapware as just the unavoidable cost of getting what they need or want in a convenient way.

So it's a cultural thing, and it will take a lot of user education to create a higher level of expectation. The trouble is that I don't see from where the incentive to provide that education is going to come, interests in the MS ecosystem being

If we warn the past about an event like 9/11, and they actually DO something about it, what happens then? Would the American government spin it even further out of proportion, claiming the attacks would have used nukes and biological weapons? There's no way of knowing for certain.

We know what we have: A world that is worse off than before, yes, but not on the brink of having the planet destroyed. With the possibility that we could make things a lot worse and start World

If someone had gone back in time and removed the stupid wrapper from downloads, would this article be here? The problem with trying to decide if you should send a message back in time is that if you did send the message, you already sent it. Time travel stories are for books and games like Chrono Trigger and Day of the Tentacle.

Honestly, the wrapper wouldn't be such a bad thing if download.com just checked that the sw they're offering at least worked.

1) if they actually do something, it means the many worlds hypothesis is true, and the divergent timeline occurs in a different quantum universe.

2) if they get the message, and do nothing, then you could have created a closed timelike curve, and doomed your own universe to experience the exact timeline you are reporting on. This closed timelike curve would be an indelible part of that universe's history, both present, past and future. (The time after the event creates the preceding event, which causes the event to happen. Rinse, repeat until dizzy.) (It could also simply be another instance of the many worlds hypothesis being true though.)

3) attempts at bidirectional communication would be systematically prevented by quantum collapse. All attempts to talk to 1999 on the other end of the call would mysteriously fail 100% of the time, even if the theory behind such a transmission seems sound.

4) 1999 calls us using a one way temporal transmission device. (Like an ordinary metal time capsule.) Communication is received, but no reply can be sent.

Of these 4 options, 4 and 3 are the most likely scenarios for "1999 called, they want...." happening. #4 being the most likely.

"If we warn the past about an event like 9/11, and they actually DO something about it, what happens then? Would the American government spin it even further out of proportion, claiming the attacks would have used nukes and biological weapons? There's no way of knowing for certain.

We know what we have: A world that is worse off than before, yes, but not on the brink of having the planet destroyed. With the possibility that we could make things a lot worse and start World War III, is it really sensible to se

Not in this case. The warning would simply be "these planes are going to be hijacked on this day". Don't include "and they're going to fly them into buildings". They would simply assume what everyone on the planes assumed, that the hijackers want to either be flown somewhere or want to use the plane and passengers as leverage in bargaining. The same thing plane hijackings had been used for the prior couple of decades.

That is why the hijackers succeeded. Their real weapon was surprise and unpredictabili

1. Go to a program's page
2. Click download now
3. Do not download the file that starts cnet_ or cnet2_ (if it doesn't start with cnet it's ok)
4. Add the &dlm=0 to the url in the address bar after the spi=whatever junk

enjoy the direct download.. and go to the source next time..or try filehippo or softpedia (either one with your adblocker running)
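The commenter's manual steps, turned into a small checker as an added example (this is not code from the thread or from any site it names): it flags an offered filename that matches the wrapper naming rule and rewrites a download URL so its query string carries dlm=0 after the existing spi=... parameters. It assumes the filename prefixes and the dlm=0 parameter behave exactly as the comment states; the URL and filenames below are constructed samples.

```python
"""Flag CNet-wrapped installer filenames and rewrite a download link with dlm=0.

Added example based on the commenter's four steps; the prefix rule and the
meaning of dlm=0 are taken from the comment, not verified independently.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Filenames the comment says identify the wrapped (bundling) installer.
WRAPPER_PREFIXES = ("cnet_", "cnet2_")


def is_wrapped_installer(filename: str) -> bool:
    """Return True when the offered filename starts with a wrapper prefix.

    Only the last path component is examined, and the comparison ignores case
    so "CNET2_Setup.exe" is caught as well as "cnet2_setup.exe".
    """
    name = filename.rsplit("/", 1)[-1].lower()
    return name.startswith(WRAPPER_PREFIXES)


def direct_download_url(url: str) -> str:
    """Return the URL with dlm=0 placed after the existing query parameters.

    The spi=... and any other parameters are kept in their original order; an
    existing dlm parameter is replaced rather than duplicated.
    """
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "dlm"]
    params.append(("dlm", "0"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def check_download(url: str, filename: str) -> dict:
    """Report whether the offered file is the wrapper and which URL to use.

    When the filename is not a wrapper the original URL is returned unchanged,
    matching step 3 of the comment ("if it doesn't start with cnet it's ok").
    """
    wrapped = is_wrapped_installer(filename)
    return {
        "wrapped": wrapped,
        "filename": filename,
        "url": direct_download_url(url) if wrapped else url,
    }


if __name__ == "__main__":
    # Constructed sample link in the shape the comment describes (spi=... junk).
    sample_url = "http://download.com/example/12345.html?spi=EXAMPLE_SPI&part=dl-example"
    for offered in ("cnet2_example_setup.exe", "example_setup.exe"):
        print(check_download(sample_url, offered))
```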

It's a shame, CNet and download.com used to be moderately safe ways of downloading new trial and freeware software. In my opinion shareware is now an outdated practice, with it now possible to find an open source equivalent for just about any commercial piece of software.

This extremely common practice of bundling garbage with every download is the cancer that is killing Windows freeware, and no, it's not limited to Download.com.

A while ago, when I was in between jobs and looking for some freelance work, I stumbled upon an entire "community" of scammers known as PPI: Pay-Per-Install. This forum was all about participating in these shady bundling practices, discussing the advertisers that were most tolerant to things like silent installs, home page swaps, BHOs that redirect your Google searches through a proxy (to hijack ad revenue), Vista sidebar widgets, toolbars, bookmarks, and start-up items, along with uploading deceptively named and heavily trojaned stuff via P2P. This is why, with every goddamned Windows utility you get these days, you get prompted to install the Ask.com toolbar, BonziBuddy, free trials for McAfee's swiss cheese, and a laundry list of other standards.

CNet should indeed be made an example of, and burned to the ground, but they didn't start this gangbang, the advertisers did. Follow the money... There is no reason why users should tolerate this aberrant behaviour.

It's full of errors. Especially the spiel about alignment. In 64-bit mode you don't have to align everything to 64-bits for best performance, only 64-bit-sized values (including memory pointers). The example 16-bit value actually only needs 16-bit alignment for best performance, which is no different to the 32-bit version of the program.

2: The increase in the memory use of pointers doesn't explain Windows x64's extra 300MB of memory use. My bet is on it loading both 64-bit and 32-bit versions of a bunch of libraries in order to support various components of Windows that are still 32-bit (as well as any 32-bit software you run).

3: Saying that a 64-bit version of a program won't be faster... Two things are actually in favour of it being faster: 64-bit mode exposes more and larger registers to use, and also guarantees certain instruction set enhancements exist (SSE2). The latter especially is a huge speedup if you take advantage of it.

While this has been normal practice for shady rip-off sites like the ones mentioned for almost a decade, I do wonder if appropriate extensions to FOSS licences such as the GPL could actually prevent this. Or at least make the culprits liable for damages, copyright infringement and/or fraud.

If I were to work on a large FOSS project I would like to know that the software I'm contributing to doesn't legally end up on one of these fraudulent DL sites.

I'm part of the ScummVM group, a cross platform software for playing various classic adventure games, and the question of Download.com came up when we released the next version of our software. There were some arguments for including it on such sites, such as giving greater visibility to the project. However, the issue of the bundled 'crapware' was considered too big a downside. We weren't that desperate for wider coverage of our software, and we certainly didn't want people to adversely associate our software with malware.

It's bad enough without the malware. If you're trying to download a 40kB file, they make you download a MB of ads, and you have to navigate through half a dozen links to "Download" which just go to more advertising. Good luck finding that tiny link that actually goes to the file you want... but now even that doesn't go to the file you want. Greedy bastards.

Needed to install 7-Zip on a Windows computer, and was in a hurry, so I went to the first Google result instead of SourceForge.
I aborted the install when I saw the "install this great toolbar" button. Still, I almost messed up my friend's computer.
Important safety tip #1: Google doesn't always produce the result you really want anymore.
Important safety tip #2: when installing open source software, Sourceforge is probably where you want to look.

The downside is that CNet is deliberately preying on users' ignorance and installing software they don't want as well.

I fully believe users should take responsibility for what they install on their systems by at least looking at what they're installing but that doesn't preclude companies from leaving that crap out in the first place.

Assuming you are seriously asking and don't have your tongue in your cheek: the key downside is that people will associate the trojan with your product; if they don't like the changes it makes to their systems they might blame you, not CNet.